by jdludlow 4856 days ago
Pranaya: and FYI – I use the same password for my bank accounts, etc..

Someone who is serious about security would never do this. The rest of the article falls on its face at this point.


So many people do this. It's the real problem, from my perspective, but I don't know how to solve it...even people I have the opportunity to talk to about it, at length, and explain the risks (like girlfriends), often still keep the same practice. Sometimes, they'll compromise and introduce a "secure password" for important stuff like bank accounts and GMail, and an "easy password" for stuff like forums and unimportant stuff.

An end to passwords would be awesome. But, I haven't seen a compelling solution to the problem.

The solution is to use a password manager. Keepass and Lastpass are pretty popular solutions and you'll be thankful later when one site is inevitably compromised and you don't feel like you have to change all your passwords.

It is absolutely worth the time to setup and start using.

That's my solution, but I've been unable to convince others to do the same. It's too complicated, they get confused, it doesn't work automagically enough. Whatever the reason, I have never successfully converted someone non-technical to using a password manager.
Those are great, and I've used 1Password and LastPass to generate / store passwords for a couple years now, but they're not a proper solution.

If I have my super-secure password that I generated in my browser, Chrome will sync it and let me log in on my browser too. Great! Now how do I get that into my phone when the APP requests me to log in?

Answer: Some password system needs to tie into the IME of computers and phones in order to be effective and secure wherever your passwords need to go.

OpenID / OAuth seems like the general answer, but it's not easy to use, and it's not practical unless I can get my bank, Facebook, some mom-and-pop website and HN to all use the same system. IME integration would bypass all of these, and would be so much simpler than getting everyone to learn the OAuth dance.

> Now how do I get that into my phone when the APP requests me to log in?

As someone who recently factory reset their tablet and phone, boy was that painful. The password generator passwords are long and use a wide variety of characters, numbers and punctuation. Entering them is really tedious and time consuming. Usually you can't see the entered password so a single error means you have to keep trying again.

Hm. Maybe something like a qr-code keyboard that would allow you to scan and enter a code from your monitor into a text field?
I've been using a password manager to manage my super-secure password system for a few weeks. Since I started, my friends have been calling me paranoid.

What disturbs me about this, why I feel it's relevant, is that these are people with the technical ability to configure their own minecraft servers and run jailbreak/root(?) hacks on consoles. Almost all of them have at least taken 1 or 2 C++ college courses or Codecademy courses. These people aren't technically challenged, nor are they Luddites. They should be aware of how insecure most passwords are, but they feel it's not relevant to their life.

Any suggestions on how to deal with that problem -- people calling you paranoid because you don't use an easy to remember password on all sites?

> Any suggestions on how to deal with that problem -- people calling you paranoid because you don't use an easy to remember password on all sites?

They think you are paranoid because they think that you are worried about Mark Zuckerberg logging in to your Google account or something along those lines. Explain that websites get compromised all the time - you could bring up the LinkedIn (http://lifehacker.com/5916177/65-million-linkedin-accounts-m...) or the Gawker (https://gawker.com/5712615/commenting-accounts-compromised-+...) compromise if they use one of those sites, and that when criminals get things like your Google passwords, they will often delete your data and try to scam your friends out of money - there are many stories, here is one about it: http://bits.blogs.nytimes.com/2007/11/09/e-mail-scammers-ask...

Merely linking to this blog on Facebook got me called paranoid by one of these friends just a few hours ago.
When you open an entry in KeePassDroid it adds entries to the notification pull down menu to copy either the username or password. I find this works quite well. Browse to the key in keepassdroid, then go to the app you need to login to. Pull down the notification shade and select copy username to clipboard. Paste. Pull the notification shade and select copy password to clipboard. Paste. Done.
1Password has an iPhone app (and probably Android, too). You can sync all of your passwords over the network or dropbox. It's a bit more tedious than just using the 1Password browser plugins, but it works. Just copy the password from the app and paste it into the app/website/etc. 1Password will also open a browser window and enter your account details for you if you're using mobile web.
LastPass has great mobile apps with "copy notifications" if you're fortunate enough to be on Android. It makes it much faster than it would be typing a password anyway.
So many people /do/ do this - but how many of them deign to lecture a CSR at a cell phone company on their lax security policies, then write up a long-winded blog about doing so, all the while being blind to, or wilfully ignorant of, their own security faux pas?

Oh, and now the CSR knows his banking password too. Handy.

So, he's lazy. Or maybe he was lying to Crystal in an effort to underscore the hazards of Verizon's procedure. However, that doesn't affect the validity of his article.

I personally would never use a banking, brokerage, or charge card [edit: or email] password for any other purpose. But, for other sites, I'm as lazy as he is...

Wait, the author reusing a password means that it's not a problem that Verizon is storing passwords in plaintext? No, the point stands as claimed (unless it's refuted). Yes, the author did something dumb. No, he's not wrong about this because of that fact. And yes, this is an important post if true.
Users being lazy about security doesn't excuse companies from being lazy about security. I don't know if the latter is true in this case, but the line of thinking you have presented is surely flawed.
That doesn't change the fact that if the chatlog is accurate, Verizon's security practices are incredibly bad.
How does a CSR verify a person calling is the true account holder without a plaintext view?
Best, since this is website-based authentication: the support system has a feature where the CSR can pop up a text box to enter the password in (or at least generate a link to give to the customer); the password entered is checked against the hashed database password, and the CSR gets to see whether or not the password was correct.

Failing that, customer has to give CSR the password, CSR enters it, it is checked against hashed password (CSR sees plaintext but it could be arranged that it is never stored, which is better than storing all plaintext in a database).
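Both flows described in the comment above, as an added example; this is not code from the thread and says nothing about how Verizon's own support tooling works. It assumes PBKDF2-HMAC-SHA256 with a random per-account salt as the storage format, an in-memory dictionary standing in for the customer database, and constructed account IDs and passwords. The CSR-facing methods return only a yes/no; the plaintext the customer reads out or types into the one-time link is hashed and discarded, never stored.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. The figure is an assumption for this
# example; tune it to the hardware the real system runs on.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the supplied password and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class SupportSystem:
    """Constructed stand-in for a carrier's account store plus its CSR tooling.

    Only (salt, digest) pairs are kept per account. A CSR can learn whether a
    password was correct, never what it was.
    """

    def __init__(self) -> None:
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}
        # One-time verification tokens: token -> (account_id, outcome or None)
        self._pending: Dict[str, Tuple[str, Optional[bool]]] = {}

    def enroll(self, account_id: str, password: str) -> None:
        self._accounts[account_id] = hash_password(password)

    def stored_record(self, account_id: str) -> Tuple[bytes, bytes]:
        """Exposed only so a reader can confirm what is actually persisted."""
        return self._accounts[account_id]

    # --- Path 1: CSR types in what the customer reads out and gets a yes/no ---
    def csr_check(self, account_id: str, supplied: str) -> bool:
        record = self._accounts.get(account_id)
        if record is None:
            hash_password(supplied)  # burn the same work for unknown accounts so timing reveals nothing
            return False
        salt, digest = record
        return verify_password(supplied, salt, digest)

    # --- Path 2: customer enters the password themselves via a one-time link ---
    def issue_verification_token(self, account_id: str) -> str:
        """CSR requests a link for the customer; the token is random and single-use."""
        token = os.urandom(16).hex()
        self._pending[token] = (account_id, None)
        return token

    def customer_submits(self, token: str, supplied: str) -> bool:
        """Called by the customer-facing form. Records only the outcome, not the password."""
        entry = self._pending.get(token)
        if entry is None or entry[1] is not None:
            return False  # unknown token, or one that has already been used
        account_id, _ = entry
        outcome = self.csr_check(account_id, supplied)
        self._pending[token] = (account_id, outcome)
        return outcome

    def csr_result(self, token: str) -> Optional[bool]:
        """What the CSR's screen shows: True, False, or None while the customer has not submitted."""
        entry = self._pending.get(token)
        return None if entry is None else entry[1]
```

With a store like this, a database dump yields salts and PBKDF2 digests rather than reusable passwords, and a compromised or curious CSR sees only the boolean. The remaining weakness in path 1 is the phone call itself, which is why the comment ranks the customer-entered link higher.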

I don't think he actually meant this was true. I think he was saying it just for the fact that it is true for many other people (at least that's what I gathered from the note in that section of the article).
An ad hominem attack doesn't disprove this argument. Attack the argument, not the one making it.